I recently posted an article about check scams in Tulsa that cost them over $500,000.
Here is a long article describing more how it could happen in Lee County, FL.
It seems the Lee County Internal Auditor left the State, but said there was a big risk that poor controls over vendor files used for authorizing payments to vendors could let someone change a vendor's address, or create a fictional vendor, then initiate a process that would issue a check to the fictional vendor.
This article gives good detail on some of the risks when government agencies do not pay attention to standard accounting control and risk reduction processes.
In this case, they apparently don't review and control the massive vendor database they have.
The staff also apparently did not retain documentation on changes made to the vendor file.
None of the quotes by the accounting management were detailed enough for me to determine if they were valid.
Another War Story related to check scams: An IT computer operator used his access to the accounts payable software to issue several payables checks to himself in the 1970's for about $24,000 which he used as down payment on a house in Florida for his new wife. He would watch the mail, and intercept the bank statements, and alter them so that accounting would get a proper reconciliation until one bright accountant spotted the alteration, and called in the internal auditors. The operator did it because he worked for a manager who would never backup the operator or help during work crunches. The manager sat and read computer journals most of the time, and left right at 5pm even if the operator still had work pending.
Later, the subsidiary let the manager go also due to his poor management skills. The operator had to sell his house to pay the company back. The fired him, but did not prosecute once they received the funds back.
vj
=========================================
from the NaplesNew.com in Florida - Dec. 20, 2007
http://www.naplesnews.com/news/2007/dec/17/auditor-says-lee-schools-high-risk-fraud/
Auditor says Lee Schools at high risk for fraud
Database used to fill out $1.5 billion in checks in question
By MATT CLARK
Monday, December 17, 2007
A Lee County School District computer database used to fill out some of the $1.5 billion in checks the district writes each year is “at a high risk for fraud.”
That’s the finding of two reports submitted by a former school board auditor.
A national expert on such databases, which are used in many large corporations, has confirmed the auditor’s evaluation is “absolutely on target.”
District officials and school board members were informed of the porous controls on the vendor master file nine months ago, and have either rejected the recommended processes or delayed implementing new ones, according to auditor Julie Nieminski’s reports.
District staff also twice discarded documents that should have been kept. The documents at issue were used to verify changes made to the file, Nieminski’s final report said.
Nieminski left the district in late November to become the city auditor of Gresham, Ore. She previously served as an auditor for the Collier County School District and the city of Cape Coral. She is certified as a public accountant, fraud examiner, independent auditor and information systems auditor.
As Lee County School Board auditor for the past 20 months, Nieminski was responsible for determining whether the district was protecting its property from loss, damage or inappropriate use and complying with laws, regulations, policies and procedures.
District Budget Director Ami Desamours said Monday she disagreed that the controls are a “high risk.”
Desamours pointed out that Nieminski filed a report on the district’s purchasing processes in March and found no instances of fraud or intentional disregard for policies or procedures.
Of the more than 141,000 invoices the district filled last year, a sampling of 114 were examined for the report.
Desamours said the report is an example of the district’s processes working to prevent fraud. “If we believed that we are at a high risk for fraud, we would do something to mitigate that,” she said.
In the report, Nieminski also documented multiple shortcomings in the district’s purchasing processes. Her report said the file, which contains the names and addresses of about 30,000 vendors, both businesses and individuals, was not being checked periodically to ensure the information isn’t fraudulently manipulated.
Nieminski also suggested using a government form to ensure vendors are supplying the district with accurate information under penalty of perjury. The practice, she said, is considered a standard for maintenance of the files.
Author, consultant and educator Jon Casher, considered one of the country’s foremost experts on vendor master file practices by his peers, said he has recommended similar actions to companies.
Should someone with access to an unchecked vendor master file wish to do so, Casher said, he could change an address so checks would be sent to himself and then change the file back to cover his trail. As no reports are generated, he said, the changes would go unnoticed.
“It is the key control within the file to ensure that money which goes out the door goes to the right place,” he said.
Casher leads the Margate, Fla.-based consulting services company RECAP, Inc., which provides services to half of the top 10 U.S. banks. He said he has worked with companies that allowed similar weak controls to exist and lost several hundred thousand dollars as a result.
When Nieminski recommended the changes, the suggestion to check the file for manipulations was rejected, the report said. The management response contained in the report said the district refused Nieminski’s recommendation because all the forms used to request a change to the file have documentation attached confirming it is an accurate change. For instance, if a vendor’s address was being changed, an invoice or letter from the vendor with the new address would be attached.
But that doesn’t guard against the type of fraud Nieminski is likely concerned with, Casher said. It is those who have immediate access to the file she worries about. The changes they can make, Casher said, could be completed without any hard copy ever being generated.
As of Feb. 27, 2007, the number of people with direct, permanent access to the file was six, the purchasing report said. Only two of them are designated by the budget department to make changes to the file, the report said, and one of those is a backup person.
Desamours said the district’s current set of controls would prevent anyone from fraudulently manipulating the file and getting away with it. For instance, she said, before a check is created the name and address is checked against the information on a purchase order and invoice from the vendor. If they don’t match up, the person checking would know where to go: the six people with access to the file.
But up until last month, Casher said, all those in the district with purchasing authority may also have been able to manipulate the file and get away with it. If fraudulent changes requested by staff members went unnoticed for one year, he said, then evidence of the change would have been thrown away.
Casher’s evaluation is a reaction to other weaknesses Nieminski pointed out in both reports. In her purchasing report, she said the district should be maintaining copies of the forms submitted to make changes to the file for at least three years. The district, the report said, had only been keeping them for one year.
Casher said industry standards are to keep the forms for at least three years.
In a response to Nieminski’s recommendation, district management said it had implemented the change on Feb. 27, 2007. “All documentation concerning vendor changes and setup will be retained,” the response said.
But that’s not how it occurred, according to Nieminski.
In her final report, Nieminski said numerous forms had been discarded in May 2007 when the district budget office moved to a new building. Nieminski said the vendor setup clerk in charge of the forms indicated not being aware of the change.
Several months later, Nieminski said she returned to find the clerk was still not saving all of the forms, only those for business vendors were being saved. It was not until November, Nieminski said, that all forms were being saved for the full, three-year period.
Desamours said the district is currently considering incorporating the changes Nieminski recommended into a new financial software package it purchased in October. She said if the changes Nieminski recommended were to be completed now or at the time of the purchasing report, the cost in staff programming hours would have been considerable.
Because manipulating the vendor file would be caught through the district’s several other controls, Desamours said, instead of using the resources required to check the file “we will use our resources to create the new processes.”
In her purchasing report, Nieminski, who could not be reached for comment on this story, said the recommendations could be accomplished with existing resources. The new software package is being implemented by an outside firm in coordination with the district at a cost of $34 million.
If the changes Nieminski recommended are incorporated into the new software, Desamours said, the earliest they would go live is around January of 2009.
© Naples News
